Extracting Artifacts from Memory
Memory contains numerous artifacts valuable for investigations:
Credentials and Authentication Data:
- Passwords in cleartext
- Hashed credentials
- Kerberos tickets
- SSH keys
- Browser saved passwords
Extraction Example:
# Extract Windows credentials (Volatility 2 syntax; --profile must match the imaged OS build)
# hashdump: LM/NT password hashes recovered from the in-memory SAM hive
volatility -f memory.dmp --profile=Win7SP1x64 hashdump
# lsadump: LSA secrets (e.g. service account passwords, the DPAPI system key)
volatility -f memory.dmp --profile=Win7SP1x64 lsadump
# Volatility 3 equivalents: windows.hashdump.Hashdump and windows.lsadump.Lsadump
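As an added example (not from the original page or the Volatility project), the script below parses the pwdump-style lines that hashdump prints and runs a weak-credential triage over them; the sample output is constructed, and every hash in it other than the two well-known empty-value constants is made up.

```python
import re
from dataclasses import dataclass
# Well-known constants from the pwdump format that hashdump emits:
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
# Line layout: user:RID:LMhash:NThash:::
PWDUMP_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")

@dataclass
class HashEntry:
    user: str
    rid: int
    lm: str
    nt: str

def parse_hashdump(text):
    """Parse hashdump output; banner lines and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            entries.append(HashEntry(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries

def triage(entries):
    """Flag weak-credential conditions an analyst should follow up on."""
    findings = []
    by_nt = {}
    for e in entries:
        if e.nt == EMPTY_NT:
            # hashdump does not show whether the account is disabled; confirm
            # account status (e.g. from the SAM hive) before reporting this.
            findings.append((e.user, "empty password"))
        if e.lm != EMPTY_LM:
            findings.append((e.user, "LM hash stored (weak legacy hash)"))
        by_nt.setdefault(e.nt, []).append(e.user)
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append(("/".join(users), "identical NT hash (password reuse)"))
    return findings

# Constructed sample output (hashes other than the two well-known constants are made up).
SAMPLE = """Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
jdoe:1002:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::
"""
```

Run `triage(parse_hashdump(SAMPLE))` to list the flagged accounts; feed it the real plugin output saved to a file in the same way.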
Command History and User Activity:
- Console history
- PowerShell commands
- Browser history
- Clipboard contents
- Recently accessed files
Network Artifacts:
- Active connections
- DNS cache
- ARP cache
- Routing tables
- Firewall rules